The Security Frameworks are intended to address the application of security services in an Open Systems environment, where the term Open Systems is taken to include areas such as Database, Distributed Applications, ODP and OSI. The Security Frameworks are concerned with defining the means of providing protection for systems and objects within systems, and with the interactions between systems. The Security Frameworks are not concerned with the methodology for constructing systems or mechanisms.
The Security Frameworks address both data elements and sequences of operations (but not protocol elements) that are used to obtain specific security services. These security services may apply to the communicating entities of systems as well as to data exchanged between systems, and to data managed by systems.
In the case of Access Control, accesses may either be to a system (i.e. to an entity that is the communicating part of a system) or within a system. The information items that need to be presented to obtain the access, as well as the sequence of operations to request the access and for notification of the results of the access, are considered to be within the scope of the Security Frameworks. However, any information items and operations that are dependent solely on a particular application and that are strictly concerned with local access within a system are considered to be outside the scope of the Security Frameworks.
Many applications have requirements for security to protect against threats to resources, including information, resulting from the interconnection of Open Systems. Some commonly known threats, together with the security services and mechanisms that can be used to protect against them, in an OSI environment, are described in CCITT Rec. X.800 / ISO 7498-2.
The process of determining which uses of resources within an Open System environment are permitted and, where appropriate, preventing unauthorized access is called access control. This Recommendation / International Standard defines a general framework for the provision of access control services.
This Security Framework:
(a) defines the basic concepts for access control
(b) demonstrates the manner in which the basic concepts of access control can be specialized to support some commonly recognized access control services and mechanisms
(c) defines these services and corresponding access control mechanisms
(d) identifies functional requirements for protocols to support these access control services and mechanisms
(e) identifies management requirements to support these access control services and mechanisms
(f) addresses the interaction of access control services and mechanisms with other security services and mechanisms.
As with other security services, access control can be provided only within the context of a defined security policy for a particular application. The definition of access control policies is outside the scope of this Recommendation / International Standard, however, some characteristics of access control policies are discussed.
It is not a matter for this Recommendation / International Standard to specify details of the protocol exchanges which may need to be performed in order to provide access control services.
This Recommendation / International Standard does not specify particular mechanisms to support these access control services nor the details of security management services and protocols.
A number of different types of standard can use this framework including:
(a) standards that incorporate the concept of access control
(b) standards that specify abstract services that include access control
(c) standards that specify uses of an access control service
(d) standards that specify the means of providing access control within an Open System environment
(e) standards that specify access control mechanisms.
Such standards can use this framework as follows:
- standard types a, b, c, d, and e can use the terminology of this framework;
- standard types b, c, d, and e can use the facilities defined in clause 7 of this framework; and
- standard type e can be based upon the classes of mechanism defined in clause 8.